Data: the little-discussed nightmare of a “no-deal Brexit”

One of the many issues being glossed over by the people claiming a so-called “no deal Brexit” would not result in business chaos is that of data handling. Under an organised departure from the European Union, arrangements could be made during the transition period to confirm UK data protection standards were acceptable to the EU (which obviously they are currently), and everyday transactions could continue. If the UK declared itself as no longer part of the EU without any arrangements, it would become a “third country” and would have to be granted “adequacy”, a process that has been completed in 18 months but could take much longer.

Apart from international data being a major commodity in itself (with the UK a big player), and the serious security and intelligence implications, data underpins so much of our business. This paper takes a long look at the situation, and states: “There has been intense political focus on the issue of trade in goods, particularly as regard the border with Ireland. By comparison, issues relating to data flows and trade in services more broadly have been neglected. Yet they may be as important for the economy, especially in future. In the same way that disruption to trade in goods, in the form of border checks and delays at ports necessitated by divergent regulatory regimes, could have damaging knock-on effects for the UK economy, compliance costs and reduced investment caused by disruption to EU-UK data flows would do too.”

Transferring data to and from the EU after a “no deal Brexit” would still be possible, but would require costly legal arrangements for businesses and any other organisations. Larger companies might have the resources to do this, but it will be challenging for smaller ones, who will be at risk of large fines from the EU if nothing is put in place. The EU would, after all, just be continuing to uphold the interests of its own citizens. There’s a government toolkit that attempts to explain the implications to UK businesses and organisations which receive personal data from the European Economic Area (including the EU) or operate in it. This says that “if your organisation receives personal data from the EU/EEA, you should review your contracts and, where absent, include Standard Contractual Clauses (SCC) or other Alternative Transfer Mechanisms (ATM) to ensure that you can continue to legally receive personal data from the EU/EEA.” An example would be a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services. Immediately, most of us just start to glaze over at the thought of what these legalities might involve.

I assume most businesses that buy from or sell to the EU are hoping that “no deal Brexit” is just an expensive political bluff from the UK government, which is actually relying on parliament ensuring it doesn’t happen. Surveys suggest that while the government is willing to spend millions of pounds preparing for this threatened course of action, most businesses are doing very little. Your company will have to make up its own mind as to the risk it’s prepared to take.